A Seattle man has been sentenced to more than four years in prison in what prosecutors say was the first federal case against someone using file-sharing software to steal identities.
Gregory Kopiloff, 35, was sentenced Monday to 51 months in prison, according to a report in the Seattle Post Intelligencer.
Kopiloff pleaded guilty in November to mail fraud, aggravated identity theft, and accessing a protected computer without authorization to further fraud. Kopiloff used programs such as LimeWire to gain access to personal information in tax returns, credit reports, bank statements, and student financial-aid applications of more than 50 people, according to a news release from the U.S. Attorney's Office. He then used the information to buy and resell more than $73,000 in merchandise, the release said.
While music and movie piracy cases are common, the Justice Department called Kopiloff's prosecution its first case against someone accused of using peer-to-peer programs to commit identity theft.
Someone apparently hacked into a computer belonging to an employee of MTV Networks and possibly gained access to names, birth dates, Social Security numbers and compensation data of 5,000 employees.
MTV Networks, a unit of media conglomerate Viacom, notified employees of the security compromise on Friday and said that while the computer files pertaining to employees' private information were password protected, the company can't be sure they haven't been opened.
"Once we learned of the incident, we immediately launched an internal investigation," the company said in a statement. "We ... contacted appropriate law enforcement authorities, who have begun a criminal investigation."
The company apologized to employees and provided phone numbers to credit-monitoring services to help protect them from identity theft.
Customers of HSBC, Bank of America, and Washington Mutual suffer the highest rates of identity theft in the banking industry, according to an investigative study released Wednesday by a UC Berkeley Law School researcher.
The Federal Trade Commission received over 245,000 reports of identity theft in 2006, but does not typically publish the names of the financial firms and companies listed in the reports. Through an extensive Freedom of Information Act request, Chris Hoofnagle, a staff attorney at UC Berkeley's Boalt School of Law, was able to get detailed records on the individual consumer complaints.
Hoofnagle received detailed information for three randomly chosen months in 2006: January, March, and September. These months included data from 88,560 complaints, with 46,262 names of institutions identified by victims.
Estimated Annual Incidents Per Billion in Deposits Among Largest US Banks (2006) (Credit: With permission from Chris Hoofnagle)
Once he crunched the numbers, Hoofnagle discovered that HSBC had the highest rate of reported identity theft in the financial industry during 2006, when adjusted for billions of dollars in deposits. Bank of America and Washington Mutual came in a close second and third. According to Hoofnagle's stats, HSBC had 21 incidents of identity theft per billion dollars in deposits, Bank of America/MBNA had about 17, while Washington Mutual had 16. Online banking leader ING had the lowest rate in the industry, with just a single reported incident.
Technically, American Express and Capital One lead the pack--with 485 and 242 respective incidents per billion dollars in deposits. However, Hoofnagle excluded them from the graph due to the small scale of each company's banking operation (Amex's 7 billion in deposits compared with Bank of America's nearly 760 billion).
Outside of the financial services sector, telecom giants AT&T and Sprint suffered from more than 9,100 and 8,300 estimated reported cases of identity theft. As the firms do not publish the numbers of customers they serve, it was impossible for Hoofnagle to break these numbers down further.
While the FTC incidents that Hoofnagle examined were from 2006, a number of recent reports indicate that HSBC has recently been overwhelmed with "a wave of banking fraud." Real numbers to back up these reports will not be available from the FTC for some time.
The levels of theft described in Hoofnagle's study match up nicely with a 2007 report released by Cambridge University researchers, which revealed that Bank of America and Washington Mutual took the longest time to shut down phishing sites targeting the banks. Sites masquerading as BofA and WaMu typically stayed online for more than 100 hours, compared with less than two days for Chase and PayPal.
Finally, while the FTC publishes an annual identity theft report, it is not required to break down its figures and reveal the names of the most frequently victimized banks. While states like California have been able to pass significant pro-consumer data breach legislation, this is one area where states have little power. Incidents of identity theft are primarily reported to the FTC, and not to state attorneys general. To force the FTC to voluntarily publish such data, federal legislation will be required--something that is unlikely to happen.
Hoofnagle's 16-page study, with detailed numbers and graphs, can be found here.
Update: This blog post has been modified since it was first published. Click here for more details, or scroll to the bottom to see the original text.
A pro-consumer, bipartisan data-breach bill was stripped of most of its provisions before its feeble remains were finally passed by an Indiana Senate committee on Tuesday.
This came after two weeks of intensive lobbying by AT&T, Verizon, Microsoft, and LexisNexis, all of which wanted to kill the bill. For the most part, they were successful.
In a blog post last week, I explained how I had worked with my state Rep. Matt Pierce (D-Bloomington) to draft and submit a data-breach bill. The bill fixed a number of major loopholes in the existing laws and borrowed heavily from existing laws in pro-consumer states such as New York, California, and New Hampshire.
It also broke new legal ground and would have made Indiana the first state in the country to require that all data breach reports impacting state residents be put online at the state attorney general's Web site. This is something that the New Hampshire Department of Justice already does, but out of a voluntary effort to help consumers and not due to a legal mandate.
Indiana's existing data-breach statute has a number of major loopholes. The most critical of these is that companies are not required to disclose a data loss/theft incident, as long as the device in question is protected with a password. The law does not require encryption of all confidential user data, but instead lets companies off the hook as long as they employ a Windows log-in password. These passwords do little to protect data, as they can be broken in a matter of seconds using free tools--or an attacker can use a Linux boot CD to read the data directly off the drive.
In a committee meeting Tuesday morning, Republican committee members successfully eviscerated the bill, reducing it to a mere 17 lines of text from the original 72. The Web site report provision and the requirement that companies notify the state attorney general whenever a data breach is discovered were stripped. A section of the bill that created incentives for companies to follow encryption and key management practices "in a manner consistent with the best practices common in the industry" was also removed.
Thankfully, the most important part of the bill (which requires real encryption and not just a Windows log-in password) remains, for now.
It only took six votes to completely gut the bill--as the other five members of the committee failed to show up for the vote. On Tuesday afternoon, I spoke with state Sen. Tim Lanane, one of the two Democrats who voted on the bill.
"I certainly didn't support the amendment," he told me, "but I also heard Rep. Pierce (the author of the bill) say that he preferred to have a bill pass, as opposed to it dying in committee."
Lanane told me that his vote was strategic, as he knew that "the (Republican) chairman was not likely to pass the bill (as originally written). Rep. Pierce knew that too." In the end, he added, it was "better to have something come out of committee rather than nothing."
Lanane told me that it is still possible to have the original pro-consumer provisions added back into the bill once it reaches the full Senate, and later if it comes up in a House/Senate conference committee.
The bill sailed through the House of Representatives a few weeks ago, passing 94-0. Unfortunately, when I drove up to the state capital last week to testify in front of a Senate committee, I discovered that big business was gunning after the bill.
At least 10 lobbyists were waiting at the committee meeting, many having flown in from Washington D.C., and were going to do their best to have the bill eviscerated. The lobbyists represented household names such as AT&T, Microsoft, Verizon, Comcast, and LexisNexis.
The lobbyists claimed that consumers could be easily confused by online breach reports, that such reports could be misused by evil phishers and fraudsters as a way of adding authenticity to their attacks, and finally that the reports could act as an unfair scarlet letter for companies that make mild data-breach mistakes.
The New Hampshire Department of Justice has posted data breach reports to its Web site for over two years. In order to learn more about the site, I recently spoke with Lauren Noether, the bureau chief of the New Hampshire DOJ's Consumer Protection Office. She told me, "I think it's important for the public to know that there are these types of breaches." She added that "any information that helps a consumer to make decisions about with whom they want to do business is helpful."
With regard to the reports, she stated that "we have them online so that anyone--the media, the public--can look at them, just to see what's out there in the world of security problems."
She also noted that the reports have been useful for businesses that have recently suffered a breach. "People have called me and asked do I have a form?" She said that she is able to tell them that "you may want to take a look at the ways that other companies have reported it to us."
Noether told me that she hasn't heard a single complaint about the Web site and that she hasn't received any information to suggest that criminals were using the site to add credibility to their phishing attacks.
So much for the claims of the lobbyists. It's worth noting, however, that LexisNexis, one of the firms that flew a Washington D.C. lobbyist to Indianapolis to testify against the bill, has three different data breaches from 2007 listed on the New Hampshire DOJ site. Perhaps the company should spend more resources on protecting its customers' data, and less on lobbying?
Update: The text below was deleted from the post on February 18th. More details on its removal can be seen here. The original text has now been put back.
AT&T donated over $170,000 to Indiana state legislators in the 2006 election cycle while Verizon donated $48,000. Furthermore, while I'm sure that all 11 of the senators on the committee are upstanding and honest legislators, I think it's worth mentioning that only one senator (Arnold) has not received thousands of dollars from AT&T in the past. The rest have all taken Ma Bell's money: Steele (R), Bray (R), Drozda (R), Zakas (R), Waltz (R), Waterman (R), Howard (D), Young (D), Tallian (D), Lanane (D).
I'm sure this in no way influenced their votes on Tuesday, but it sure does give you food for thought.
Update 2: When I wrote that original blog post back in February, detailing which members of the committee had received donations from AT&T, I neglected to do a bit of research. My efforts had been focused on just the members of the Senate Committee. I completely forgot to look up the donation history of Senator Brandt Hershman, the Republican Majority Whip, Senate "sponsor" of HB 1197, and the author of the amendment that stripped away 3/4 of the provisions in the original bill.
It turns out that while the senators on the committee each received $2000 from AT&T over the past few years, Senator Hershman has received even more love from Ma Bell. He received $4000 from AT&T in 2004, and another $2500 in 2006 -- AT&T was his top contributor that year.
Again, just as with the other senators, I'm in no way claiming that Senator Hershman's actions were motivated by the big fat checks he received from AT&T. I am sure that he amended the bill to strip out the parts hated by lobbyists only after carefully considering the issues, and coming to the conclusion that Indiana consumers do not need an easy way to find out about companies that lose their personal data.
UPDATE: See below for TSA's response.
A scathing congressional report released Friday confirms that security flaws in a Transportation Security Administration site put thousands of Americans at risk of identity theft.
The report (PDF) also reveals that a no-bid contract to create the site was awarded to an outside company by a TSA employee who had previously worked for that company. Was this just business as usual at TSA?
TSA: Security ain't its forte (Credit: CNET)
In October 2006, the TSA launched a Web site to help travelers whose names were erroneously listed on airline watch lists. This site had a number of security vulnerabilities: it was not hosted on a government domain; its home page was not encrypted; one of its data submission pages was not encrypted; and its encrypted pages were not properly certified. Furthermore, the site was filled with typos and other errors, causing some to wonder whether TSA's site had been taken over by phishers.
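Three of the four flaws listed above (non-government domain, unencrypted home page, unencrypted submission form) can be caught by a static audit of the page before it goes live. The following is an added example written for this post, not code from TSA, Desyne, or the congressional report: it parses a constructed HTML page with Python's standard-library HTML parser and flags a page served over plain HTTP, a host outside an allowed government suffix, and any form that posts to a non-HTTPS or non-government target, rating it HIGH when the form carries fields such as a Social Security number or place of birth. The page URL, host names, and field names are all assumed for the example. Certificate validity (the fourth flaw) needs a live TLS connection and is not checked here.

```python
"""Offline audit for the flaw classes in the TSA redress-site story.

Added example; not the TSA's, Desyne's, or the report's own code. All
URLs, hosts and field names below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Field names treated as sensitive personal data (assumed set).
SENSITIVE_FIELDS = {"ssn", "social_security", "dob", "birthplace", "place_of_birth"}


class FormCollector(HTMLParser):
    """Collects every <form> with its action URL and input field names."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            if a.get("name"):
                self._current["fields"].append(a["name"].lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_page(page_url, html, allowed_suffixes=(".gov",)):
    """Return a list of finding strings; an empty list means no flaw found."""
    findings = []
    page = urlparse(page_url)
    if page.scheme != "https":
        findings.append(f"page not served over HTTPS: {page_url}")
    if not page.hostname or not page.hostname.endswith(allowed_suffixes):
        findings.append(f"page not on an expected government domain: {page.hostname}")

    parser = FormCollector()
    parser.feed(html)
    for form in parser.forms:
        # Resolve relative actions against the page URL, as a browser would.
        target = urlparse(urljoin(page_url, form["action"]))
        sensitive = sorted(set(form["fields"]) & SENSITIVE_FIELDS)
        if target.scheme != "https":
            severity = "HIGH" if sensitive else "MEDIUM"
            detail = f" with sensitive fields {sensitive}" if sensitive else ""
            findings.append(f"{severity}: form posts over {target.scheme or 'unknown'} "
                            f"to {target.geturl()}{detail}")
        if target.hostname and not target.hostname.endswith(allowed_suffixes):
            findings.append(f"form posts to non-government host: {target.hostname}")
    return findings


# Constructed sample page mirroring the flaws described in the post.
CONSTRUCTED_PAGE_URL = "http://travelerredress.example.com/index.html"
CONSTRUCTED_PAGE_HTML = """
<html><body>
<form action="/submit.php" method="post">
  <input name="full_name"><input name="ssn"><input name="place_of_birth">
</form>
<form action="https://secure.example.com/contact" method="post">
  <input name="email"><textarea name="message"></textarea>
</form>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_page(CONSTRUCTED_PAGE_URL, CONSTRUCTED_PAGE_HTML):
        print(finding)
```

Run against the constructed page it reports five findings: the page itself is neither HTTPS nor on a .gov host, the first form posts the SSN and place of birth over plain HTTP to a non-government host, and the second form, though HTTPS, still posts off the government domain. The same audit on an HTTPS .gov page whose forms stay on that host returns nothing.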
The report notes that TSA's chief information security officer conducted a detailed security accreditation review of the traveler redress site before it went live. He/she did not notice any of the glaring holes that I highlighted in my initial blog post on the subject. The report does not note whether the chief information security officer was ever punished for this failure to detect obvious flaws.
For the four months that the site was up, thousands of people visited it, and 247 travelers submitted highly personal information (including their Social Security number and place of birth) through an insecure form that was not SSL-encrypted. TSA's lax security practices resulted in thousands of Americans being put at a direct risk of identity theft.
The site was only taken down after I discovered it in February 2007 and posted something to my blog. Shortly after, Wired and a number of other sites picked up the story, and TSA was shamed into pulling down the site.
In addition to noting the security problems on the site, I also expressed significant skepticism regarding Desyne Web Services, the Virginia-based Web site design firm that was running and operating the site. In my original blog post, I wrote:
"This begs the question: Who are these guys, why don't they know how to use SSL and how were they awarded this sweet contract? Why can't TSA do a simple form submission themselves?"
My initial concern seems to be well founded, as the newly released report reveals. The TSA official in charge of the project awarded the contract--without competition--to one of his former employers, a company owned by one of his high school buddies.
Proving that this is just business as usual for TSA, the report notes that "neither Desyne nor the technical lead on the traveler redress Web site have been sanctioned by TSA for their roles in the deployment of an insecure Web site. TSA continues to pay Desyne to host and maintain two major Web-based information systems. TSA has taken no steps to discipline the technical lead, who still holds a senior program management position at TSA."
UPDATE: When reached for comment, TSA spokesman Christopher White stated that "every issue that the committee brought up has been addressed many months ago. We are not interested in rehashing last year's issues."
When asked whether TSA is concerned with the ethical concerns that surrounded the no-bid sweetheart contract, he stated that there are "no ethical issues (to be) brought up. We hold ourselves to very high ethical standards. It is useless for the American public to rehash this old garbage that doesn't exist today."
He also stated that "many many months ago, when this was a legitimate issue, TSA did notify each person who may have been affected." However, he said, TSA "did not offer to pay for credit monitoring" for those passengers. He stressed that, "we have absolutely no indication that anyone's identity has been misused as a result of this incident."
White could not immediately answer questions related to the complete lack of sanctions for the TSA employee managing the contract and promised to get back to me after looking into the issue.
For those readers who are not aware, the FBI conducted a 2 a.m. raid of my home back in October 2006, after I created a Web site demonstrating the ease with which passengers could create fake boarding passes. After the FBI dropped its investigation, the TSA investigated me for six months and threatened me with tens of thousands of dollars in civil fines. No charges were ever filed.
I discovered the initial security flaws in TSA's redress Web site, and the congressional investigation is a direct result of a blog post that I wrote in February 2007. I'd be lying if I said that I wasn't grinning from ear to ear with the news of this report.
It's poetic justice, if you will, for the unpleasantness that TSA put me through.
Desyne, the firm that created the Web site, could not be immediately reached for comment.
A British TV presenter has learned the hard way that identity theft is serious, and in the process, become the joke of the moment for privacy bloggers. More importantly, this is the second time in just one year that such a thing has happened. This blog post explores the latest incident, looks back to the past, and then concludes with a more broad analysis.
Jeremy Clarkson, host of the BBC show Top Gear, recently wrote an article for the U.K.'s Sunday Times in which he ridiculed the uproar that had occurred after the British government admitted to losing two compact discs containing the personal information on 25 million people. To prove his point that there was no risk of financial fraud for those consumers, he published his bank account details, and instructions on how to locate his address. Writing in the Times, he claimed that "All you'll be able to do with [the account numbers] is put money into my account. Not take it out. Honestly, I've never known such a [fuss] about nothing."
The following week, he changed his tune after learning that an identity thief with a sense of humor had used the details to create an automatic bank transfer to the charity Diabetes UK.
"I opened my bank statement this morning to find out that someone has set up a direct debit which automatically takes £500 from my account," he said. "The bank cannot find out who did this because of the Data Protection Act and they cannot stop it from happening again.
Admitting the error of his previous article dismissing identity theft concerns, he wrote that, "I was wrong and I have been punished for my mistake." The incident seems to have changed his opinion about the risks to which the 25 million Brits have been exposed. "Contrary to what I said at the time, we must go after the idiots who lost the discs and stick cocktail sticks in their eyes until they beg for mercy."
While news of Mr. Clarkson's woes has been mentioned around the blogosphere in the past few days, no one seems to have connected the dots to another similar event from 2006.
Todd Davis is the CEO of LifeLock, a company that offers a mostly useless $10 per month identity theft protection service. In an effort to eat his own dogfood, and promote his company's service, Mr. Davis includes his social security number in all of the company's advertisements--see here. A full page ad in this week's USA Today had his SSN listed in big letters.
Making a mockery of LifeLock's identity theft protections, a Texas man in 2006 was able to secure a $500 payday loan with Mr. Davis' social security number.
While the BBC's Clarkson can be forgiven for not hearing about the woes of LifeLock's CEO, I think an important lesson can be drawn from these two incidents: Identity theft is real, and easy to commit with just a few bits of personal information.
I've been mildly jealous of Mike Godwin and Prof. Ed Felten for some time--as they both have 'laws' named after them. I think it's time for my own.
Thus, I now introduce Soghoian's Law of Identity Theft Stupidity: Anyone who publishes their own private financial details in a public discussion of identity theft will eventually find that information used for fraud.
Identity theft victims would be allowed to request monetary compensation for the time they spent getting their lives back in order under a bill approved by a U.S. Senate panel.
The Identity Theft Enforcement and Restitution Act of 2007 would allow those who fell prey to identity fraud to seek "criminal restitution"--that is, payouts from the offender in a particular case--for time "reasonably" spent correcting "actual" or "intended" harm.
While potentially significant, it's unclear exactly how much of an impact the legal changes would make, should they be made law (and they're a few steps off from that yet).
According to a Javelin Strategy and Research survey of 5,000 American adults released earlier this year, the number of identity theft victims has declined in recent years, as has the amount of time spent dealing with those harms.
In 2003, there were about 10.1 million adult victims of identity fraud in the United States, but that number dropped to about 8.4 million this year. Meanwhile, the average number of hours each victim spent resolving those issues declined from about 40 hours in 2003 to 25 in 2007.
Threaten to steal data, end up in prison?
The Senate bill transcends identity theft-related issues, crossing over into cybercrime. It also includes rewrites to federal computer crime laws that are designed to make it easier for police to punish hackers, keyloggers, and spyware purveyors whose acts may not do quantifiable damage.
Under current law, federal prosecutors can go after only computer crimes that result in at least $5,000 in damage or losses to a victim's computer. Current law also requires that hacking cross state borders, immunizing from federal prosecution crimes in which the hacker and the victim are in the same state. But the approved Senate bill would remove those requirements in criminal cases.
The bill would also make it a felony to damage 10 or more computers with spyware or keyloggers, regardless of how much damage is done. It would create a new crime: threatening to steal or release information from a computer, with the intent to extort money or anything else of value from the person being threatened. Those offenses would carry up to five years in prison, fines, or both.
The Senate bill also adds additional penalties for cybercriminals. They'd be forced to give up any property used to commit their crimes or obtained in the process of those activities.
Sen. Patrick Leahy (D-Vt.), who sponsored the bill along with Sen. Arlen Specter (R-Penn.), said the proposal contains "important and long-overdue steps to protect Americans from the growing and evolving threat of identity theft and other cybercrimes."
The measure doesn't appear to be particularly controversial. It's backed by the U.S. Department of Justice and the Secret Service, and it has also drawn support from a diverse set of groups, including the AARP, the Consumers Union, the Cyber Security Industry Alliance, and the Business Software Alliance, Leahy said. The BSA, for its part, said it would be pressuring the House of Representatives to act this year on a similar proposal, as well as pressuring the full Senate to bless the bill approved in committee Thursday.
Still worried that peer-to-peer filesharing networks like Lime Wire are causing users to "inadvertently" expose sensitive documents, posing potential security risks, members of Congress are now asking for a formal investigation into the phenomenon.
Congress wants the FTC (headquarters pictured here) to probe identity theft risks posed by peer-to-peer filesharing. (Credit: Federal Trade Commission)
The latest concern from the House of Representatives Committee on Oversight and Government Reform, judging by a 7-page letter (click for PDF) dated Wednesday to Federal Trade Commission chairwoman Deborah Majoras, appears to be this: Peer-to-peer networks may make unsuspecting consumers vulnerable to identity theft.
The same group of politicians, led by Reps. Henry Waxman (D-Calif.) and Tom Davis (R-Va.), suggested earlier this summer that peer-to-peer networks can pose a "national security" threat by allowing users to expose sensitive information unwittingly. (Some politicians, particularly those with entertainment industries in their districts, also took the opportunity once again to condemn unlawful transfer of copyrighted content via the networks.)
The committee members asked the FTC, the federal agency charged primarily with consumer protection, to outline any risks it believes are associated with peer-to-peer filesharing and whether it specifically considered the "impact" of peer-to-peer filesharing when it devised recommendations for fending off identity theft.
The letter closes by asking the federal regulators to reveal whether they feel they have sufficient enforcement powers to "address problems associated with inadvertent filesharing"--and if not, of course, what Congress could do to help.
Lime Wire and the peer-to-peer community have long defended their services, saying they're increasingly incorporating features designed to give users clear warning before they open up, say, their entire My Documents folder to the whole world.
There was no immediate word on how the FTC plans to respond.
In what federal prosecutors are calling the first case of its kind, a Seattle man on Thursday was arrested for allegedly using the popular Lime Wire peer-to-peer file-sharing software to get access to tax returns, credit reports, bank statements and student financial-aid applications housed on hundreds of computers across the United States.
The scheme allegedly undertaken by 35-year-old Gregory Kopiloff worked something like this, according to the U.S. Department of Justice: He'd use identity information gleaned from those documents to open credit accounts over the Internet, buy goods over the Internet, ship them to various mailboxes in the Puget Sound area and resell the merchandise for about half its retail price. Investigators said his scheme had nabbed 80 victims and racked up more than $70,000.
A screen shot of Lime Wire software (Credit: download.com)
"Law enforcement has known for some time that criminals are exploiting peer-to-peer file sharing to secretly gain remote access to victims' computers to search for personal information," Jeffrey Sullivan, U.S. Attorney for the Western District of Washington, said in a statement.
If the charges of mail fraud and "accessing a protected computer without authorization to further fraud" hold up, Kopiloff could face up to 20 years in prison and a $250,000 fine. If convicted on an "aggravated identity theft" charge, his prison sentence would be increased by two years.
From the outside looking in, it seems likely that the alleged thefts occurred because the "victims" in question--or perhaps users who shared their computers--accidentally configured their software in a way that exposed directories containing the sensitive items.
CNET News.com readers may recall that Lime Wire's CEO caught an earful from Congress earlier this summer at a hearing in which politicians claimed peer-to-peer networks pose a threat to national security because of the possibility of such "inadvertent" file sharing. Lime Wire at the time vigorously defended itself, maintaining that its product offers its users ample warnings designed to ensure they don't select vulnerable folders for sharing with others.
But one has to wonder if the criminal allegations revealed Thursday will inflame those earlier arguments that the peer-to-peer software maker hasn't made it clear enough how to close off certain directories to outside snooping. Lime Wire, for its part, has some tips on how to make sure the software is set up to your liking.
Malicious attackers beware, a Monster may be coming after you.
After malicious attackers pilfered job candidate information from its job seeker database, Monster located the attackers' rogue server and pulled the plug, the company announced Wednesday. But fallout from that episode remains.
The hooligans, who loaded a Trojan horse called Infostealer.Monstres on the company's resume database, got access to job candidates' names, addresses, phone numbers and e-mail addresses.
They weaseled their way in by gaining access to a legitimate log-in credential reserved for employers, via a computer that had been infected with the malicious software.
Now, Monster is assessing the extent of the damage. The company is investigating the number of job seekers who were affected and will be contacting them. Monster is also offering information on avoiding online scams, phishing and fraud during a job search.